
Nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey, threat hunters have discovered new activity linked to the Iranian threat actor known as Infy (also known as Prince of Persia).
“The scale of Prince of Persia’s activities is more significant than we originally anticipated,” Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. “This threat group remains active, relevant, and dangerous.”
According to a report published by Palo Alto Networks Unit 42 in May 2016, Infy is one of the oldest advanced persistent threat (APT) actors in existence, with early evidence of activity dating back to December 2004. That report was co-authored by Bar and researcher Simon Conant.
The group attracts little attention and remains elusive, unlike other Iranian groups such as Charming Kitten, MuddyWater, and OilRig. Its attacks primarily rely on two pieces of malware: Foudre, a downloader and victim profiler, and Tonnerre, a second-stage implant that Foudre fetches to siphon data from high-value machines. Foudre is known to be distributed through phishing emails.

SafeBreach’s latest findings reveal a covert campaign using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50) to target victims in Europe as well as Iran, Iraq, Turkey, India, and Canada. The latest version of Tonnerre was detected in September 2025.
Attack chains have also shifted from Microsoft Excel files carrying macros to Excel documents with an embedded executable that installs Foudre. Perhaps the most notable aspect of the threat actors’ modus operandi is their use of domain generation algorithms (DGA) to make the command and control (C2) infrastructure more resilient to takedown.
Additionally, Foudre and Tonnerre are known to verify the authenticity of a C2 domain before using it: the malware downloads an RSA signature file from the candidate domain, recovers the signed value with its embedded public key (a raw RSA signature check, rather than decryption in the usual sense), and compares the result to a locally stored verification file. A DGA domain that cannot serve a signature produced with the operator’s private key is ignored.
SafeBreach’s analysis of the C2 infrastructure also revealed a directory named “key” used for C2 verification, as well as other folders storing communication logs and exfiltrated files.
“Every day, Foudre downloads a proprietary signature file encrypted with an RSA private key by the threat actor and uses RSA validation with an embedded public key to verify that this domain is an authorized domain,” Bar said. “The format of the request is:
“https:///key/.sig”
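The following Python block is an added example, not SafeBreach’s code or the malware’s own: it sketches how a date-seeded DGA combined with a public-key “authorized domain” check behaves from the implant’s side. The DGA, the TLD list, the toy RSA key pair (p=61, q=53), the expected verification value, and the simulated responses of the candidate domains are all constructed for illustration and are not Foudre’s real algorithm, key, or values. The point it demonstrates is the one that matters to defenders: a DGA domain that is registered as a sinkhole but cannot serve a signature made with the operator’s private key is rejected, while the operator-controlled domain is accepted.

```python
"""Added example: date-seeded DGA plus a raw RSA "authorized domain" check.

Everything here (DGA, key, expected value, simulated C2 replies) is constructed
for illustration and is NOT the real Foudre algorithm, key, or data.
"""
import hashlib

# Constructed toy RSA key (textbook RSA with p=61, q=53).  A real implant embeds
# a key of realistic size; this one only keeps the example self-contained.
RSA_N = 3233   # p * q
RSA_E = 17     # public exponent, embedded in the implant
RSA_D = 2753   # private exponent, held only by the operator (17 * 2753 = 1 mod 3120)

# Constructed stand-in for the locally stored "verification file": the value
# that must come out of the signature once it is raised to the public exponent.
EXPECTED = 2718

# Constructed TLD list for the hypothetical DGA (not Foudre's).
TLDS = ("net", "space", "info")


def dga(day: str, count: int = 3) -> list:
    """Hypothetical DGA: hash an ISO date plus a static seed and map the digest
    to letter-only labels.  Both sides can compute the same list for a day."""
    digest = hashlib.sha256(f"{day}:example-seed".encode()).digest()
    domains = []
    for i in range(count):
        chunk = digest[i * 8:(i + 1) * 8]
        label = "".join(chr(ord("a") + b % 26) for b in chunk)
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def operator_sign(value: int) -> bytes:
    """Operator side: produce the .sig file, s = value^d mod n, as 2 big-endian bytes."""
    return pow(value, RSA_D, RSA_N).to_bytes(2, "big")


def verify_domain(sig_file: bytes) -> bool:
    """Implant side: recover s^e mod n with the embedded public key and compare it
    with the locally stored verification value.  Malformed files fail closed."""
    if len(sig_file) != 2:
        return False
    s = int.from_bytes(sig_file, "big")
    return pow(s, RSA_E, RSA_N) == EXPECTED


def fetch_sig(domain: str, responses: dict):
    """Stand-in for the HTTPS GET of the /key/...sig path.  `responses` maps a
    domain to the body it would serve; a missing domain means no answer."""
    return responses.get(domain)


def select_c2(day: str, responses: dict):
    """Walk the day's DGA candidates and return the first one whose signature
    verifies, or None when no authorized domain is reachable."""
    for domain in dga(day):
        body = fetch_sig(domain, responses)
        if body is not None and verify_domain(body):
            return domain
    return None


if __name__ == "__main__":
    day = "2025-09-01"
    cands = dga(day)
    # Constructed scenario: a defender sinkholed the first candidate but has no
    # private key, so it serves a bogus .sig; the operator controls the second;
    # the third is unregistered and answers nothing.
    world = {
        cands[0]: b"\x00\x00",
        cands[1]: operator_sign(EXPECTED),
    }
    for d in cands:
        body = fetch_sig(d, world)
        status = "no response" if body is None else ("accepted" if verify_domain(body) else "rejected")
        print(f"{d}: {status}")
    print("chosen C2:", select_c2(day, world))
```

Run as a script, the sinkholed candidate is rejected, the operator’s candidate is accepted, and the unregistered one is skipped. The design choice worth noting is that the verification value never leaves the implant in the clear; only the operator, holding the private exponent, can produce a file that maps back to it under the embedded public key, so registering DGA domains ahead of the actor is not enough to hijack the channel.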
The C2 server also has a “Downloads” directory whose current purpose is unknown; it is suspected to be used to push upgraded versions of the malware.
Meanwhile, the latest version of Tonnerre includes a mechanism to contact a Telegram group (named سرافراز, which means “proud” in Persian) whose details it obtains through the C2 server. The group has two members: a user with the handle “@ehsan8999100” and a Telegram bot “@ttestro1bot” that is believed to be used for issuing commands and collecting data.
Using messaging apps for C2 is not unusual, but what is notable is that the Telegram group information is stored in a file named “tga.adr” in a directory called “t” on the C2 server, and the download of “tga.adr” is served only to a specific list of victim GUIDs.
SafeBreach also uncovered older variants used in the Foudre campaign between 2017 and 2020:
- A version of Foudre disguised as an Amaq News Finder application, used to download and run the malware
- A new trojan called MaxPinner, downloaded by the Foudre version 24 DLL to spy on Telegram content
- A variant called Deep Freeze that, like the Amaq News Finder lure, is used to infect victims with Foudre
- A previously unknown malware family called Rugissement

“Despite what appeared to be a dark turn in 2022, Prince of Persia threat actors did just the opposite,” SafeBreach said. “Our continued investigative efforts against this prolific and elusive group have uncovered important details about their activities over the past three years, their C2 servers, and the malware variants they have identified.”
The disclosure comes as DomainTools’ continued analysis of the Charming Kitten leak sheds light on a broader picture of a hacker group operating like a government department while carrying out “clerical precision espionage.” It has also been revealed that this threat actor is behind the Moses Staff persona.
“APT 35, the same administrative machine running Tehran’s long-running credential phishing campaign, also ran the logistics of running Moses Staff’s ransomware theater,” the company said.
“Alleged hacktivists and government cyber forces share not only tools and targets, but also the same accounts payable system. The propaganda and espionage departments are two products of a single workflow, different ‘projects’ under the same internal ticketing system.”
